Subject: Re: Custom IPTables rules
From: Alfredo Carneiro
To: user@mesos.apache.org
Date: Wed, 13 Apr 2016 16:53:44 -0300
In-Reply-To: <7EDFDABA3E18439892D03F14FB01D216@gruchalski.com>

Hey Rad,

Thanks for your answer! I have added these lines and now it looks very similar to before.

iptables -N DOCKER
iptables -A FORWARD -o docker0 -j DOCKER
iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT

However, I am still getting errors.

docker: Error response from daemon: failed to create endpoint cranky_kilby on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0: iptables: No chain/target/match by that name.
 (exit status 1).

This is my iptables -L output:

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination

I hid the INPUT chain because it is very big!

Best Regards,

On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski wrote:
> Hi Alfredo,
>
> The only thing you need is:
>
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
> Best regards,
> Radek Gruchalski
> radek@gruchalski.com
> de.linkedin.com/in/radgruchalski/
>
> On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
>
> Hello guys,
>
> I don't know if that is the right place to ask. So, since we use public cloud, we are trying to harden our servers by allowing traffic just from our subnetworks. However, when I tried to implement some iptables rules I got problems with Docker, which couldn't find its chain anymore.
>
> Then, I am wondering if anyone has ever implemented any iptables rule in this scenario.
>
> I've seen this[1] "tip", however, I think that it does not apply to this case, because it is very "static".
>
> [1] - https://fralef.me/docker-and-iptables.html
>
> Best Regards,
>
> --
> Alfredo Miranda

--
Alfredo Miranda
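The error quoted in the thread is Docker's daemon running `iptables --wait -t nat -A DOCKER ...` and being told the chain does not exist: `iptables -N DOCKER` without `-t` only recreates the chain in the filter table, while Docker also keeps a DOCKER chain in the nat table for its port-mapping DNAT rules. The following POSIX shell script is an added example, not code from the thread or from Docker: it scans an `iptables-save` dump for the DOCKER chain in both tables and prints what is missing. The embedded dump is constructed to mirror the state described in the thread (filter has the chain and the FORWARD jumps, nat has nothing), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check an `iptables-save` dump for the
# DOCKER chain in both tables Docker uses and report what is missing.
# Docker creates a DOCKER chain in BOTH the filter and the nat table; the
# error in the thread ("-t nat -A DOCKER ... No chain/target/match by that
# name") is the nat-table chain being absent after a custom ruleset was loaded.

# Constructed sample dump reproducing the thread's state: the filter table has
# a DOCKER chain and the FORWARD jumps, the nat table has no DOCKER chain.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
'

# has_chain TABLE CHAIN: exit 0 if the dump on stdin declares ":CHAIN" inside
# the "*TABLE" section, exit 1 otherwise. iptables-save marks a table with a
# "*name" line, declares chains as ":name policy [pkts:bytes]" and ends the
# table with "COMMIT".
has_chain() {
    awk -v tbl="*$1" -v chain=":$2" '
        $1 == tbl             { in_tbl = 1; next }
        $1 == "COMMIT"        { in_tbl = 0 }
        in_tbl && $1 == chain { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# missing_docker_chains: read a dump on stdin and print each required
# "table/chain" that is absent, one per line (prints nothing when all exist).
missing_docker_chains() {
    dump=$(cat)
    for want in filter/DOCKER nat/DOCKER; do
        tbl=${want%/*}
        chain=${want#*/}
        if ! printf '%s\n' "$dump" | has_chain "$tbl" "$chain"; then
            printf '%s\n' "$want"
        fi
    done
}

# remediation_hint TABLE CHAIN: the iptables command that recreates the chain.
# Docker also recreates its own chains when the daemon is restarted, which is
# the simpler fix after loading a ruleset that dropped them.
remediation_hint() {
    printf 'iptables -t %s -N %s\n' "$1" "$2"
}

# Stand-alone run over the constructed sample; on a real host replace the
# printf with `iptables-save |` (needs root).
printf '%s\n' "$SAMPLE_DUMP" | missing_docker_chains | while IFS=/ read -r tbl chain; do
    echo "missing: $tbl/$chain -> $(remediation_hint "$tbl" "$chain")"
done
```

On the thread's state the script reports only `nat/DOCKER`. Note that `iptables-restore` (without `--noflush`) flushes every table listed in the file it loads, so a hardening ruleset that contains a `*nat` section without Docker's chain and jump rules removes them even if the filter-table rules from the thread are present; checking both tables after applying such a ruleset, or restarting the Docker daemon afterwards, avoids the "No chain/target/match by that name" failure when a container with a published port starts.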